Command Reference

Global Options

  • --log-level: Sets the log level. Accepted values are: “trace”, “debug”, “info”, “warn”, “error”, “off”. Default is “warn”.

  • --format: Sets the CLI output format. Accepted values are: “text”, “json”. Default is “text”.

Subcommands

version

Displays CLI version information as JSON.

nvattest version
# {
#   "nvattest": "1.0"
# }

collect-evidence

Collects device evidence from live devices. If the global output format is json, the output is emitted as a JSON document. This evidence can be saved and used with attest --gpu-evidence-source=file or attest --nvswitch-evidence-source=file. [optional]

Options (see nvattest collect-evidence -h for more information):

  • --device {gpu|nvswitch}: Device to attest. Default is gpu.

  • --nonce: Nonce for the attestation in hex format.

Example commands:

nvattest collect-evidence --device gpu
nvattest collect-evidence --device gpu --format json

Output:

The output JSON document will contain the following fields:

  • evidences: the attestation evidences as a JSON array (one entry per device)

  • result_code: NVAT SDK return code

  • result_message: NVAT SDK return code string

Example output (truncated):

{
  "evidences": [
    {
      "arch": "HOPPER",
      "nonce": "123..",
      "evidence": "EeAB..",
      "certificate": "LS0t.."
    },
    {
      "evidence": "RfdT..",
      // ...
    }
  ],
  "result_code": 0,
  "result_message": "Ok"
}

attest

Runs attestation for a given device type. If the global output format is json, the output is emitted as a JSON document.

Options (see nvattest attest -h for more information):

  • --device {gpu|nvswitch}: Device to attest. Default is gpu.

  • --nonce: Nonce for the attestation in hex format.

  • --verifier {local|remote} (default: local)

  • --gpu-evidence-source {nvml|file} (default: nvml)

  • --gpu-evidence-file <path>: JSON evidence file to use when --gpu-evidence-source=file

  • --nvswitch-evidence-source {nscq|file} (default: nscq)

  • --nvswitch-evidence-file <path>: JSON evidence file to use when --nvswitch-evidence-source=file

  • --relying-party-policy <path>: Rego policy file

  • --rim-url: Base URL for the NVIDIA RIM service (e.g.: https://rim.attestation.nvidia.com)

  • --ocsp-url: Base URL for the OCSP responder (e.g.: https://ocsp.ndis.nvidia.com)

  • --nras-url: Base URL for the NVIDIA Remote Attestation Service (e.g.: https://nras.attestation.nvidia.com)

  • --service-key: Service key used to authenticate remote service calls to attestation services. To obtain a service key, follow the NGC Onboarding Guide.

Behavior:

  • Evidence sources are configured through the {device}-evidence-source options.

    • By default, live evidence is collected through the corresponding device drivers/libraries.

    • File evidence sources can be used to verify evidence that was collected ahead of time for testing or as part of a custom attestation workflow.

    • Note: When an evidence file is provided, the correct nonce corresponding to that evidence must be supplied through the --nonce option.

  • If a Rego policy is supplied, attestation will fail with a specific exit code when the policy does not match.

JSON Output

The output JSON document will contain the following fields:

  • claims: the attestation claims as a JSON array (one entry per device)

  • detached_eat: the signed detached EAT bundle containing the claim set

  • result_code: NVAT SDK return code

  • result_message: NVAT SDK return code string

Example output (truncated):

{
  "claims": [
    {
      "x-nvidia-device-type": "gpu",
      "secboot": true,
      "x-nvidia-gpu-driver-version": "575.32"
      // ...
    }
  ],
  "detached_eat": [
    [
      "JWT",
      "the-overall-jwt"
    ],
    {
      "GPU-0": "jwt-for-this-submodule",
      "GPU-1": "jwt-for-this-submodule",
      // ...
    }
  ],
  "result_code": 0,
  "result_message": "Ok"
}

See the SDK’s claims schema documentation for the complete schema of the claims.

Example CLI commands

  • Local GPU attestation:

nvattest attest --device gpu --verifier local

  • Attest using pre‑collected GPU evidence and a custom policy, emitting the results as JSON:

nvattest attest --device gpu \
  --gpu-evidence-source file \
  --gpu-evidence-file ./path/to/gpu_evidence.json \
  --relying-party-policy ./path/to/policy.rego \
  --format json

  • Attest using remote verifier with a service key:

export NV_ATTESTATION_SERVICE_KEY="your-service-key"
nvattest attest --device gpu \
  --verifier remote \
  --nras-url https://nras.attestation.nvidia.com

Note: To obtain a service key, refer to the NGC Onboarding Guide for instructions on setting up your NGC account and generating authentication keys.

  • Rego policy example:

Supply a Rego file that defines package policy and a boolean rule nv_match. If nv_match evaluates to false, the attestation fails with error code NVAT_RP_POLICY_MISMATCH.

See here for more information

Example rego policy:

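package policy

import future.keywords.every

# Deny unless the rule below succeeds.
default nv_match := false

# Every claim set in the input must describe a GPU with secure boot
# enabled and debug status disabled.
nv_match {
  every result in input {
    result["x-nvidia-device-type"] == "gpu"
    result.secboot
    result.dbgstat == "disabled"
  }
}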

Pass it with the --relying-party-policy option.
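
A relying party that consumes the JSON Output fields described above can repeat the Rego example's checks in its own code before releasing a workload. The following is an added example, not part of the nvattest documentation or SDK: evaluate_attestation and expected_devices are hypothetical names, and the sample document is constructed from the field names shown on this page.

```python
import json

# Constructed sample of `nvattest attest --format json` output. Field and
# claim names are the ones shown on this page; the values are made up.
SAMPLE_OUTPUT = """{
  "claims": [
    {"x-nvidia-device-type": "gpu", "secboot": true, "dbgstat": "disabled"},
    {"x-nvidia-device-type": "gpu", "secboot": true, "dbgstat": "enabled"}
  ],
  "detached_eat": [["JWT", "constructed-jwt"],
                   {"GPU-0": "constructed-jwt", "GPU-1": "constructed-jwt"}],
  "result_code": 0,
  "result_message": "Ok"
}"""


def evaluate_attestation(raw_json, expected_devices):
    """Return (ok, reasons) for one attest JSON document.

    expected_devices is a hypothetical caller-supplied device count. It
    rejects an empty or short claims array, which a per-claim loop (or a
    Rego `every`) accepts vacuously.
    """
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [f"unparseable output: {exc}"]
    if not isinstance(doc, dict):
        return False, ["output is not a JSON object"]
    reasons = []
    code = doc.get("result_code")
    if isinstance(code, bool) or code != 0:
        reasons.append(f"result_code={code!r} ({doc.get('result_message')!r})")
    claims = doc.get("claims")
    if not isinstance(claims, list):
        return False, reasons + ["claims is missing or not an array"]
    if len(claims) != expected_devices:
        reasons.append(f"expected {expected_devices} claim sets, got {len(claims)}")
    for i, claim in enumerate(claims):
        if not isinstance(claim, dict):
            reasons.append(f"claims[{i}]: not an object")
            continue
        if claim.get("x-nvidia-device-type") != "gpu":
            reasons.append(f"claims[{i}]: device type is not gpu")
        if claim.get("secboot") is not True:
            reasons.append(f"claims[{i}]: secboot is not true")
        if claim.get("dbgstat") != "disabled":
            reasons.append(f"claims[{i}]: dbgstat is not disabled")
    return not reasons, reasons
```

This check reads the claims as reported by the CLI and does not verify the signatures on the tokens in detached_eat.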